You just look for the string "http://". But there is one problem with this generally solution. You can easily by pass such Javascript "protections". So you need to check for links in the server code too and reject them.